packages:
  - module: mellium.im/xmpp
    package: mellium.im/xmpp/websocket
    symbols:
      - Dialer.config
    versions:
      - introduced: 0.18.0
        fixed: 0.21.1
description: |
  An attacker capable of spoofing DNS TXT records can redirect a
  WebSocket connection request to a server under their control without
  causing TLS certificate verification to fail. This occurs because
  the wrong host name is selected during this verification.
cves:
  - CVE-2022-24968
ghsas:
  - GHSA-m658-p24x-p74r
credit: Travis Burtrum
links:
  pr: https://github.com/mellium/xmpp/pull/260
  commit: https://github.com/mellium/xmpp/commit/0d92aa486da69b71f2f4a30e62aa722c711b98ac
  context:
    - https://mellium.im/cve/cve-2022-24968/